Switching from http to https in iOS App brings up Export Compliance issues when publishing

We recently decided to update a couple of our apps this summer to switch them from http to https in order to follow the new Apple guidelines which go into effect January 2017.

The only thing transferred to and from the app is product information, no user info or anything even remotely sensitive. But we want to comply early so that we don't have to worry about it later.

The question:

Apple seems to be forcing us to deal with US Export Compliance law which requires us to get an approval for an Exporter Registration Number (ERN), and a SNAP-R which requires a Company Identification Number (CIN). I think, I am no lawyer.

Now this question was somewhat answered here but that was more than 3 years ago, and if I understand what is happening, everyone who makes an http connection with their app and has it available outside the US is going through this.

If that's the case then I would have expected a very clear explanation on what switching to https will require for most iOS app developers.

However I have not found much on this and I am confused on what the exact requirements are (if any).

Any counsel is appreciated.

Menstruation answered 18/8, 2016 at 14:15 Comment(2)
I'm not sure you are going to get advice on this, since it is a gray area in terms of legal implications. I will say that getting an ERN / SNAP-R seems pretty easy to do: chatmap.io/blog/iPhone-iTunes-ERN-Encryption.php - Undershirt
An even more detailed tutorial, along with how to get a CIN: pupeno.com/2015/12/15/… - Undershirt

Disclaimer: These were my results after many rounds of emails with different export control team members, however these results are specific to our own apps and may not be applicable to others.

Short answer: Despite having an encrypted database using SQLCipher and using HTTPS for all of our data transfers, our apps' Export Control Classification Number (ECCN) is "EAR99", meaning they do not need any US export license (no SNAP-R). Hit that publish button!

More details: My company employs a third-party company that specializes in classifying products that are meant to be exported. After finding that out I submitted all of our app information to them and they decided that we did not fall under the export control umbrella.

Menstruation answered 13/9, 2016 at 13:15 Comment(3)
How does this relate to @SuprMan's answer? I have seen such a message as well, and it is very upfront. - Celestine
@Antek, I am not sure how SuprMan was answering the question. But you are right: Apple is really upfront with the message, yet when I was working on the issue there was very little information provided on what a "year-end self classification report" is and how to create one. In the end, as stated in my answer, our app was classified as EAR99, which means it doesn't need to submit a classification report despite it using HTTPS to make calls. So I have no idea why Apple provides that somewhat scary/strange requirement... - Menstruation
I see, thanks a lot for the first-hand experience report! - Celestine

When uploading an app to iTunes Connect it says:

If you are making use of ATS or making a call to HTTPS please note that you are required to submit a year-end self classification report to the US government

Abrasion answered 25/1, 2018 at 5:51 Comment(0)
